1. Field of the Invention
The present invention relates to a data communications system and a data communications method, in which data is communicated via a data communications network.
2. Description of the Related Art
Conventionally known is a technique to control a traffic amount in a data communications network by causing a transfer device, which configures a data communications system, to measure the number or amount of data (for example, the number or amount of packets) passing through the transfer device within a certain period of time.
Recently, a technique similar to the above-mentioned one that controls the traffic amount is used as a countermeasure against unsolicited communications such as e-mails and worms.
For example, as shown in Japanese Patent Application Laid-open No. 2004-178541, known is a technique in which a large amount of e-mail transmission (unsolicited communications) is detected to inhibit an information transfer action, by causing an information delivery device (a transfer device) to perform filtering depending on the amount of received information (for example, the number of e-mails and the like).
Furthermore, as shown in “Unauthorized Access Detection and Tracking Method by Use of Traffic Pattern” pp. 1464-1473, the Japanese Journal of the Institute of Electronics, Information and Communication Engineers, vol. J84-B, No. 8, August, 2001, the following technique is known: when the number of packets abnormally increased is detected at a plurality of points in a data communications network, it is judged as a distributed denial of service (DDoS) attack, then identifying the network where the attack was originated by investigating the points retrospectively, and inhibiting the information transfer action.
Moreover, known is a technique which uses information for judgment called “signature”, which is created off line by general antivirus software, a firewall function and the like, to detect the unsolicited communications.
This technique needs to cause antivirus software and a firewall function to distribute the “signature” to each client, or needs to cause each client to download the “signature”.
However, the unsolicited communications detectable by the above “signature” is limited to already-known unsolicited communications.
In addition, as shown in “Basic of Mobile Communications”, Corona Publishing Co., Ltd., 1986, mobile communications (that is, communications in a form where a data communications device moves) need to select specific points (for example, an anchor node, a gateway, an edge node and the like) and to observe and administer each communication at the specific points.
It is also required that filtering control should be performed on the unsolicited communications by bringing in the “signature” and the like to the specific points.
Here, also conceived is to move the specific points. However, moving the specific points while holding the observation result is recognized to be a difficult technique.
Moreover, known is a technique in which a filter is created by widely gathering information from users in order to judge whether the communications are unsolicited or not.
Furthermore, when a number of users actually read received e-mails and judge them to be unsolicited communications with their own wills and behavior, in the technique, the above filter is configured to be changed by notifying predetermined devices of the fact to that effect.
However, the following problems are not solved by use of the conventional techniques with the countermeasures against unsolicited communications (bulk communications).
A first problem is the difficulty in processing on a suspected communication which appears for the first time (a communication suspected as an unsolicited communication), in real time.
The first problem is attributed to the facts that “the ‘signature’ used to detect a unsolicited communication such as a virus or a worm is created by analyzing the behavior of past unsolicited communications in a backyard” and that “a long period of time is required to collect notices related to the unsolicited communications (for example, unsolicited e-mails and the like) from users in a wide area, as in a case of a Web-mail service”.
A second problem is that it is actually difficult, in the mobile communication, to select specific points where the above filtering control is performed.
Generally, a judgment process (signature matching) by use of the above “signature” and behavior analyses on past unsolicited communications are performed by observing and administrating individual communications at the above specific points.
However, considering a situation in which there are: an increase in the traffic amount to be handled; a fragmentation of each data (an increase in the number of data of a small amount or data with a short holding time); an existence of a communications format such as the format of P2P; an existence of a communications format where a communications path in a data communications network is dynamically changed with a move of a data communications device; and the like, it is difficult to realize the above countermeasures against the unsolicited communications simply by performing an information process (a filtering control) in a fixed location on the communications path (that is, the specific point).
A third problem is that it is not possible to handle an unsolicited communication which becomes a large amount of data as a result of combining the data of a small amount, which are dispersedly generated from a wide area.
The third problem is attributed to the necessity of a certain number of suspected communications existing locally, in order to improve the sensitivity of detecting unsolicited communications.
A fourth problem is that the types of “signature (information for judgment)” used as a basis for judging a communication to be an unsolicited communication is limited, and that the judgment precision for unsolicited communications does not improve.
The amount of processing related to the extraction and distribution of “signature” in data transmitted via a suspected communication, and the amount of information to be collected for observing the behavior of past unsolicited communications, are enormous.
However, when real time processing on suspected communications is necessary, the above judgment should be made by use of information from a limited area, such as a communication (for example, an e-mail and the like) addressed to a specific user, and a communication (for example, an e-mail addressed to a user stored in the relevant mail server) reaching a specific device (for example, a gateway device such as a mail server, and the like). As a result, the precision for judging unsolicited communications does not improve.